FBI officials issued an alert this week that phishing attacks targeted at businesses worldwide have soared to a $3.1 billion scam in the past 18 months. A new technique employing data theft has been put into play since this latest tax season.
Specifically, the FBI focused on business email compromise (BEC) scams as the root cause of this increase. According to the bureau's June 14 alert:
The BEC scam continues to grow, evolve, and target businesses of all sizes. Since January of 2015, there has been a 1,300% increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.
Cyber-criminals are spending time studying and monitoring their potential victims to get to know them before launching the scam, learning to accurately identify them and protocols needed to conduct wire transfers from their specific company or business environment to the would be cyber thieves.
Armed with this knowledge, cyber-criminals go to work in a targeted fashion, specifically by impersonating the CEO or some other high-level executive at the company to extract money or additional information that could lead to financial gain down the line, according to the bureau.
The FBI advisory noted there are five scenarios that cyber-attackers use in these BEC scams, of which one is relatively new. It emerged with this year's tax season.
When the FBI issued its warning in April about the new BEC scam that involved data theft, the losses to companies worldwide stood at $2.3 billion. In a mere two months, the losses mushroomed by $800 million to reach $3.1 billion today.
Under this new scenario, the attackers request either wage or tax statement information, like W-2s, or a company list of Personally Identifiable Information (PII). The employees who cyber-criminals request these items from typically work in human resources, bookkeeping, or the auditing departments.
- In one of the other four business email scams, the con artist dupes a foreign supplier through email, a fax, or a phone call, into wiring an invoice payment to a bogus account.
- A second scam requires the hijacking of a company executive's email account and sending a request to an employee who normally processes wire transfers, asking that funds be wired to bank X, which the attacker can access.
- A third scam involves hacking an employee's personal email account and using it to send invoice payment requests to various vendors that the company uses. The funds are then deposited into the cyber thieves' bank account.
- Finally, the FBI notes a scam involving a cyber-criminal who poses as an attorney in an email or a phone call and claims to be handling a time-sensitive or confidential matter. The cyber-criminal pressures the employee to transfer funds into a bogus account.
The FBI suggests victims notify the agency and file a complaint, regardless of the size of the loss.